How to Fix OpenSSL Verify Error: unable to get local issuer certificate (num=20)

CellCS
3 min read · May 18, 2023


[Image: Relax after establishing connections]

Here is a summary of how to fix the “verify error:num=20:unable to get local issuer certificate” error when testing SSL/TLS connections, and what the error actually means.

Problem Description:

When establishing an SSL/TLS connection with OpenSSL’s command-line client (openssl s_client) or with libraries built on OpenSSL, you may see the message “verify error:num=20:unable to get local issuer certificate” in the handshake output.

Typical commands that show it are “openssl s_client -connect login.microsoftonline.com:443”, “openssl s_client -servername login.microsoftonline.com -connect login.microsoftonline.com:443”, or “openssl s_client -connect google.com:443”. (The -servername option sends the hostname in the TLS SNI extension; without it, a server that hosts several names may return a default certificate that is not the one you meant to test.)

The error means OpenSSL could not build a chain from the server’s certificate up to a certificate in the local trust store: the issuer of the last certificate it held was not found locally. The “depth=” line printed just before the error says where it gave up. depth=0 means the server’s own certificate had no locally known issuer (typically because the server sent no intermediate certificate); depth=1 means the intermediate was received but the root that issued it is not in the store.

Root Cause:

The usual root cause is a missing or outdated root CA certificate in the trust store that OpenSSL is using. The trust store is the collection of trusted root CA certificates against which server certificate chains are validated during the SSL/TLS handshake. Three other situations produce the same num=20 and are worth ruling out: the server does not send its intermediate certificate(s), so the chain stops at the leaf; the openssl binary you are running looks in a different default directory from the one your system or applications use (“openssl version -d” prints that directory, and a self-built OpenSSL often ships with an empty one); or a TLS-inspecting proxy on the path presents a certificate issued by its own CA, which the trust store does not know. The last case should be confirmed with your administrator, not worked around.
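To see the two chain-related causes side by side without a network, the following script (an added example, not code from the original post) generates a throwaway root, intermediate and leaf certificate with openssl, then runs “openssl verify” three times: the leaf alone against the right root (the server-forgot-the-intermediate case), leaf plus intermediate against an unrelated root (the stale-trust-store case), and leaf plus intermediate against the right root. “openssl verify” uses the same chain builder as s_client, so the error number and depth match what s_client prints. The CA names, the host name www.example.test and the file names are all hypothetical, and the script needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce X509 verify error 20
# offline with a self-generated root -> intermediate -> leaf chain, then show
# the fixed case. All names ("Example Root CA", "www.example.test") and file
# names are hypothetical; the keys and certificates are generated here and
# are not real CA material. Needs openssl 1.1.1 or later on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test'

# issue_cert NAME SUBJECT EXTENSIONS [ISSUER_CERT ISSUER_KEY]
# Writes NAME.key and NAME.pem; self-signs when no issuer is given.
issue_cert() {
  name="$1"; subject="$2"; ext="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "$subject" >/dev/null 2>&1
  printf '%s\n' "$ext" > "$name.ext"
  if [ $# -lt 5 ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
        -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
        -days 30 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

make_chain() {
  issue_cert root  "/CN=Example Root CA"         "$CA_EXT"
  issue_cert other "/CN=Unrelated Root CA"       "$CA_EXT"   # stands in for a stale trust store
  issue_cert int   "/CN=Example Intermediate CA" "$CA_EXT"   root.pem root.key
  issue_cert leaf  "/CN=www.example.test"        "$LEAF_EXT" int.pem  int.key
}

# verify_summary TRUST_STORE LEAF [UNTRUSTED_CHAIN]
# Prints "OK" or "error <num> at depth <d>", the same number and depth that
# s_client reports in its "depth=<d>" / "verify error:num=<num>" lines.
verify_summary() {
  rc=0
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || rc=$?
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK"
  else
    printf '%s\n' "$out" |
      sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/error \1 at depth \2/p' |
      head -n 1
  fi
}

make_chain
echo "1. server sent only the leaf, trust store has the root:"
echo "   $(verify_summary root.pem leaf.pem)"          # error 20 at depth 0
echo "2. server sent leaf + intermediate, trust store lacks the root:"
echo "   $(verify_summary other.pem leaf.pem int.pem)" # error 20 at depth 1
echo "3. same chain, trust store has the root:"
echo "   $(verify_summary root.pem leaf.pem int.pem)"  # OK
```

The two failing runs report num=20 at different depths, which is the first thing to read off the s_client output: depth 0 points at the server, depth 1 at your trust store. Only the third run, where the intermediate is available and the root is trusted, verifies.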

Solution Steps:

There are several possible fixes. On RHEL-family systems you can update the CA certificates (“sudo yum update ca-certificates”) and rebuild the trust settings (“sudo update-ca-trust”); on Debian and Ubuntu the equivalents are “sudo apt install ca-certificates” and “sudo update-ca-certificates”. You may still get the same error when you check the certificate chain afterwards, so the following steps give openssl an explicit, known-good trust store instead:

Obtain a CA certificate bundle:

One option is to download a CA certificate bundle such as cacert.pem, which contains a collection of trusted root CA certificates. Obtain it from a source you trust, such as the cURL project (https://curl.se/ca/cacert.pem); the project publishes a SHA-256 checksum for each extract on https://curl.se/docs/caextract.html, and you should compare it against the downloaded file before using it. On most test machines, “curl -o cacert.pem https://curl.se/ca/cacert.pem” downloads it into the current directory.

Point to the CA file when testing SSL/TLS connections:

“openssl s_client -CAfile cacert.pem -servername <server> -connect <server>:<port>”

or

“openssl s_client -CAfile cacert.pem -connect <server>:<port>”

Replace <server> with the server hostname and <port> with the port number (443 for HTTPS). Use the hostname rather than an IP address so that -servername sends the correct SNI value. Note that -CAfile only replaces the trust store: s_client does not check that the certificate matches the name unless you also pass “-verify_hostname <server>”, and “-verify_return_error” makes it abort the handshake on any verification failure instead of reporting the failure and continuing.

The output should then end with “Verify return code: 0 (ok)” instead of “Verify return code: 20 (unable to get local issuer certificate)”.
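The procedure above as one script (an added example, not the post’s own code): it fetches the cURL bundle and checks it against the SHA-256 that cURL publishes beside it, runs s_client with the bundle as trust store and an explicit hostname check, and pulls the verify result out of the output. The function names are this example’s own; the two curl.se URLs are the ones the cURL project publishes for its extract.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the curl CA bundle with its
# published checksum, test a server with an explicit trust store plus hostname
# check, and read the verify result from the s_client output. The function
# names are this example's own; the URLs are the ones curl publishes for its
# extract. Usage: sh tls_check.sh <host> [port] [cafile]
set -eu

# Download cacert.pem and compare it with the SHA-256 that curl publishes
# next to it. This catches a truncated or corrupted download; it does not
# protect against an attacker who controls the download path itself.
fetch_bundle() {
  dest="$1"
  curl -fsSL -o "$dest" https://curl.se/ca/cacert.pem
  curl -fsSL -o "$dest.sha256" https://curl.se/ca/cacert.pem.sha256
  expected=$(cut -d' ' -f1 "$dest.sha256")
  actual=$(openssl dgst -sha256 -r "$dest" | cut -d' ' -f1)
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $dest" >&2; return 1; }
}

# Read s_client output on stdin; print N from "Verify return code: N (...)".
verify_return_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Read s_client output on stdin; print "N message" from the first
# "verify error:num=N:message" line, which is where chain building stopped.
first_verify_error() {
  sed -n 's/^verify error:num=\([0-9][0-9]*\):\(.*\)$/\1 \2/p' | head -n 1
}

# tls_verify HOST PORT CAFILE: handshake with SNI, the given trust store and
# an explicit hostname check; print the verify return code (0 = verified).
# </dev/null stops s_client from waiting for data on stdin.
tls_verify() {
  host="$1"; port="$2"; cafile="$3"
  openssl s_client -servername "$host" -connect "$host:$port" \
      -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>&1 |
    verify_return_code
}

if [ $# -ge 1 ]; then
  HOST="$1"; PORT="${2:-443}"; CAFILE="${3:-cacert.pem}"
  [ -f "$CAFILE" ] || fetch_bundle "$CAFILE"
  code=$(tls_verify "$HOST" "$PORT" "$CAFILE")
  echo "$HOST:$PORT -> verify return code ${code:-none}"
  [ "${code:-}" = "0" ]
fi
```

Run it as “sh tls_check.sh login.microsoftonline.com 443”; it exits non-zero unless the chain and the hostname both verify. Because the checksum is served from the same origin as the bundle, it only guards against a damaged download; on a machine whose trust store is already broken, fetch the bundle on a machine you trust and copy it over. Adding “-verify_return_error” to the s_client line makes it abort the handshake on a verification failure instead of completing it and reporting the code afterwards.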

Experience and Tips:

Keep the system trust store up to date by regularly updating the root CA certificates. When you hit an SSL/TLS validation error, first check whether the issuer named in the “depth=” line is present and trusted in the store that this copy of OpenSSL actually uses. If the store is missing the necessary root CA certificate, download a trusted CA bundle, verify its checksum, and point to it with the appropriate option or configuration in your SSL/TLS testing or application code. Treat -CAfile as a diagnostic: the durable fix is to repair the system trust store, since every library on the machine relies on it. If a fresh bundle still gives num=20, the problem is not the trust store but the server (a missing intermediate) or something on the path. Never “fix” the error by disabling verification (for example curl -k, or an unverified context in application code); that removes the authentication TLS exists to provide. Do this with the appropriate permissions and follow established procedures, or consult your system administrator.

Scenarios:

If you are reading this without having met the error, here are some scenarios where a web server needs to establish an outbound SSL/TLS connection and may meet it.

  1. Web Server Connection: The web server needs to establish an SSL/TLS connection to either login.microsoftonline.com or google.com, typically to retrieve data from an external API, perform authentication, or integrate with an external service. The application uses the same trust store as the command-line test and fails the same way, usually reported in the client library’s own wording rather than as the raw OpenSSL message.
  2. SSL/TLS Connection: openssl s_client is commonly used to test SSL/TLS connections from the command line. Running it with the appropriate parameters, such as -connect and -servername, establishes a connection to a specific server (login.microsoftonline.com or google.com) and prints the certificate details. The “-showcerts” parameter prints every certificate the server sent, in PEM form, so you can see whether the intermediate was included; each block can be inspected with “openssl x509 -noout -subject -issuer” to follow the chain from the leaf to where it stops.

CellCS

Software Engineer | Data, DevOps Engineer | Health Tech Innovator | Researcher